# SharePoint Online via Restricted Application Access

### Overview

Movebot supports connecting to SharePoint Online using a restricted application configuration that limits access to a defined subset of SharePoint sites within the tenant.

This method introduces additional configuration complexity and is not recommended unless site-level access restriction is required.

{% hint style="warning" %}
We recommend only administrators familiar with Microsoft Entra, Microsoft Graph API, and application permissions perform this setup. Contact support before proceeding if unsure.
{% endhint %}

### When should this be used instead of full access?

If you require:

* Restricting access to a specific SharePoint site
* Compliance controls preventing tenant-wide SharePoint access

If you are not subject to the above requirements, follow the standard [SharePoint Online guide](/connections/sharepoint-online.md).

### Requirements

To configure this connection method, you will need:

* A Movebot account
* A Microsoft 365 administrator account
* Access to Microsoft Entra ID
* Access to Microsoft Graph Explorer

### How to Configure Restricted SharePoint Access

1. **Create the Application Registration in Entra**
   * Login to **Microsoft Entra** as an administrator and navigate to **App registrations**.
   * Click **New registration**.
   * Specify a name for the new application. Leave the remaining fields as default. Click **Register**.
   * Make note of the following values:
     * **Application (Client) ID** – required for Movebot configuration
     * **Directory (Tenant) ID** – required for Movebot configuration

2. **Configure API Permissions**

   **Graph API**

   * **API Permissions → Add a Permission**
   * Select: **Microsoft Graph → Application Permissions**
   * Enable permission:

     ```
     Sites.Selected
     ```
   * Click **Grant admin consent**.

   **SharePoint API**

   * **API Permissions → Add a Permission**
   * Select: **SharePoint API → Application Permissions**
   * Enable permission:

     ```
     Sites.Selected
     ```
   * Click **Grant admin consent**.

3. **Create a Client Secret**
   * Navigate to: **Certificates & secrets → Client secrets → New client secret**
   * Create the secret and copy the **Client Secret Value**.
   * This will be required in Movebot.

4. **Configure the Connection in Movebot**
   * The following information must be entered into the Movebot SharePoint connector:
     * **SharePoint Domain**
     * **Tenant ID**
     * **Application Client ID**
     * **Application Client Secret**

5. **Upload the certificate from Movebot**

   Finally, you will need to generate and download the client certificate from Movebot and upload it to Azure for authentication.

   * Under Step 3: click the button **Generate and Download Certificate**. You should get a PEM file download from Movebot.
   * In Azure, click **Certificates and Secrets → Certificates → Upload Certificate**.
   * Upload the PEM file downloaded from Movebot in the first step above.
   * The thumbprint shown in Azure should match the one shown in Movebot.

6. **Grant Site-Level Access Using Microsoft Graph**
   * The `Sites.Selected` permission alone does not grant access. Site-level permissions must be assigned explicitly.
   * Retrieve the Site ID. Open the following URL in your browser and replace the placeholders:

     ```
     https://<tenant>.sharepoint.com/sites/<siteName>/_api/site/id
     ```
   * Example:

     ```
     https://contoso.sharepoint.com/sites/Finance/_api/site/id
     ```
   * Copy the returned **Site ID (GUID)** value.

7. **Sign in to Graph Explorer**
   * Navigate to: <https://aka.ms/ge>
   * Sign in with a Microsoft account.
   * Grant your user the following delegated permission:

     ```
     Sites.FullControl.All
     ```
   * **(This is required only to assign site permissions.)**

8. **Assign Application Access to the Site**
   * Run the following request in Graph Explorer: `POST https://graph.microsoft.com/v1.0/sites/{site_id}/permissions`
   * Replace `{site_id}` with the Site ID retrieved earlier.
   * Request Body:

     ```json
     {
       "roles": ["write"],
       "grantedToIdentities": [
         {
           "application": {
             "id": "<APPLICATION_CLIENT_ID>",
             "displayName": "<APPLICATION_DISPLAY_NAME>"
           }
         }
       ]
     }
     ```
   * A successful response returns:

     ```
     201 Created
     ```

9. **Assign Application Access to Root Site (Required)**

   * Run the following request in Graph Explorer: `POST https://graph.microsoft.com/v1.0/sites/root/permissions`
   * Use the same request body format as above.
   * This ensures the application can resolve the SharePoint structure correctly.
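Steps 6 to 9 can also be driven from a script, which makes it easy to confirm afterwards that the app received exactly the intended role and nothing broader. The following is an added example, not Movebot's or Microsoft's code; it assumes you already hold a Graph bearer token carrying delegated `Sites.FullControl.All` (as obtained in Graph Explorer) and the Site ID returned by the `_api/site/id` URL, and the `SAMPLE_PERMISSIONS` response is constructed for offline illustration.

```python
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed sample of a GET /sites/{site_id}/permissions response (not from a real tenant).
SAMPLE_PERMISSIONS = {"value": [
    {"id": "p1", "roles": ["write"], "grantedToIdentities": [
        {"application": {"id": "11111111-2222-3333-4444-555555555555", "displayName": "Movebot-Restricted"}}]},
    {"id": "p2", "roles": ["read"], "grantedToIdentities": [
        {"application": {"id": "99999999-8888-7777-6666-555555555555", "displayName": "OtherApp"}}]},
]}

def build_grant_body(client_id, display_name, role="write"):
    """Body for POST /sites/{site_id}/permissions (the JSON shown on the page). Sites.Selected
    grants are 'read' or 'write'; reject anything else so a typo cannot request a broader role."""
    if role not in ("read", "write"):
        raise ValueError("Sites.Selected grants are 'read' or 'write' only")
    return {"roles": [role],
            "grantedToIdentities": [{"application": {"id": client_id, "displayName": display_name}}]}

def graph_call(method, path, token, body=None):
    """Minimal Graph REST call; 4xx/5xx responses raise urllib.error.HTTPError."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(GRAPH + path, data=data, method=method, headers={
        "Authorization": "Bearer " + token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status, json.loads(resp.read() or b"{}")

def grants_for_app(permissions_response, client_id):
    """Roles the app holds on a site, read back from GET /sites/{site_id}/permissions.
    Use after the propagation delay to confirm the grant landed with the intended role only."""
    roles = set()
    for perm in permissions_response.get("value", []):
        for ident in perm.get("grantedToIdentities", []):
            if ident.get("application", {}).get("id") == client_id:
                roles.update(perm.get("roles", []))
    return sorted(roles)

def grant_and_verify(site_id, client_id, display_name, token, role="write"):
    """Steps 8 and 9: grant on the target site and on the root site (201 expected
    for both), then read the target site's permissions back and return the roles."""
    body = build_grant_body(client_id, display_name, role)
    for sid in (site_id, "root"):
        status, _ = graph_call("POST", f"/sites/{sid}/permissions", token, body)
        if status != 201:
            raise RuntimeError(f"grant on {sid} returned HTTP {status}, expected 201")
    _, perms = graph_call("GET", f"/sites/{site_id}/permissions", token)
    return grants_for_app(perms, client_id)
```

Re-running `grants_for_app` against a fresh GET of the site's permissions is also a cheap periodic audit: any site where the Movebot app shows a role other than the one you granted, or any app you do not recognise, warrants a look.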

### Important Notes

#### **Connection Test Behaviour**

When using restricted site scoping:

* The Movebot connection test may not validate all sites automatically.
* Only the specifically granted SharePoint site will be accessible.
* This is expected behaviour.

#### Permission Propagation Delay

Permission updates may not take effect immediately.

In some environments, it can take up to an hour before site access reflects the new configuration. If testing fails immediately after setup, wait and retry before troubleshooting further.

#### Site Mapping Requirement

When using restricted access:

* Site transfers must be mapped manually using [CSV Transfer Mapping](https://docs.movebot.io/using-movebot/transfer-mapping/import-csv-mappings).
* Only explicitly granted SharePoint sites are accessible.
* Access to other sites in the tenant will result in failures.

#### Supported Features

Certain features are unsupported using restricted access.

| Feature                       | Supported                         |
| ----------------------------- | --------------------------------- |
| SharePoint Document Libraries | Supported (no automatic creation) |
| Permissions                   | Not Supported                     |
| Versions                      | Fully Supported                   |
| Modtime Retention             | Fully Supported                   |
